mobbdev 1.1.6 → 1.1.8

package/dist/args/commands/upload_ai_blame.d.mts

@@ -7,6 +7,16 @@ declare enum AiBlameInferenceType {
     TabAutocomplete = "TAB_AUTOCOMPLETE"
 }
 
+type SanitizationCounts = {
+    pii: {
+        total: number;
+        high: number;
+        medium: number;
+        low: number;
+    };
+    secrets: number;
+};
+
 declare const PromptItemZ: z.ZodObject<{
     type: z.ZodEnum<["USER_PROMPT", "AI_RESPONSE", "TOOL_EXECUTION", "AI_THINKING"]>;
     attachedFiles: z.ZodOptional<z.ZodArray<z.ZodObject<{
@@ -41,26 +51,18 @@ declare const PromptItemZ: z.ZodObject<{
         name: string;
         parameters: string;
         result: string;
-        accepted?: boolean | undefined;
         rawArguments?: string | undefined;
+        accepted?: boolean | undefined;
     }, {
         name: string;
         parameters: string;
         result: string;
-        accepted?: boolean | undefined;
         rawArguments?: string | undefined;
+        accepted?: boolean | undefined;
     }>>;
 }, "strip", z.ZodTypeAny, {
     type: "USER_PROMPT" | "AI_RESPONSE" | "TOOL_EXECUTION" | "AI_THINKING";
-    tool?: {
-        name: string;
-        parameters: string;
-        result: string;
-        accepted?: boolean | undefined;
-        rawArguments?: string | undefined;
-    } | undefined;
     date?: Date | undefined;
-    text?: string | undefined;
     attachedFiles?: {
         relativePath: string;
         startLine?: number | undefined;
@@ -69,17 +71,17 @@ declare const PromptItemZ: z.ZodObject<{
         inputCount: number;
         outputCount: number;
     } | undefined;
-}, {
-    type: "USER_PROMPT" | "AI_RESPONSE" | "TOOL_EXECUTION" | "AI_THINKING";
+    text?: string | undefined;
     tool?: {
         name: string;
         parameters: string;
         result: string;
-        accepted?: boolean | undefined;
         rawArguments?: string | undefined;
+        accepted?: boolean | undefined;
     } | undefined;
+}, {
+    type: "USER_PROMPT" | "AI_RESPONSE" | "TOOL_EXECUTION" | "AI_THINKING";
     date?: Date | undefined;
-    text?: string | undefined;
     attachedFiles?: {
         relativePath: string;
         startLine?: number | undefined;
@@ -88,6 +90,14 @@ declare const PromptItemZ: z.ZodObject<{
         inputCount: number;
         outputCount: number;
     } | undefined;
+    text?: string | undefined;
+    tool?: {
+        name: string;
+        parameters: string;
+        result: string;
+        rawArguments?: string | undefined;
+        accepted?: boolean | undefined;
+    } | undefined;
 }>;
 type PromptItem = z.infer<typeof PromptItemZ>;
 declare const PromptItemArrayZ: z.ZodArray<z.ZodObject<{
@@ -124,26 +134,18 @@ declare const PromptItemArrayZ: z.ZodArray<z.ZodObject<{
         name: string;
         parameters: string;
         result: string;
-        accepted?: boolean | undefined;
         rawArguments?: string | undefined;
+        accepted?: boolean | undefined;
     }, {
         name: string;
         parameters: string;
         result: string;
-        accepted?: boolean | undefined;
         rawArguments?: string | undefined;
+        accepted?: boolean | undefined;
     }>>;
 }, "strip", z.ZodTypeAny, {
     type: "USER_PROMPT" | "AI_RESPONSE" | "TOOL_EXECUTION" | "AI_THINKING";
-    tool?: {
-        name: string;
-        parameters: string;
-        result: string;
-        accepted?: boolean | undefined;
-        rawArguments?: string | undefined;
-    } | undefined;
     date?: Date | undefined;
-    text?: string | undefined;
     attachedFiles?: {
         relativePath: string;
         startLine?: number | undefined;
@@ -152,17 +154,17 @@ declare const PromptItemArrayZ: z.ZodArray<z.ZodObject<{
         inputCount: number;
         outputCount: number;
     } | undefined;
-}, {
-    type: "USER_PROMPT" | "AI_RESPONSE" | "TOOL_EXECUTION" | "AI_THINKING";
+    text?: string | undefined;
     tool?: {
         name: string;
         parameters: string;
         result: string;
-        accepted?: boolean | undefined;
         rawArguments?: string | undefined;
+        accepted?: boolean | undefined;
     } | undefined;
+}, {
+    type: "USER_PROMPT" | "AI_RESPONSE" | "TOOL_EXECUTION" | "AI_THINKING";
     date?: Date | undefined;
-    text?: string | undefined;
     attachedFiles?: {
         relativePath: string;
         startLine?: number | undefined;
@@ -171,6 +173,14 @@ declare const PromptItemArrayZ: z.ZodArray<z.ZodObject<{
         inputCount: number;
         outputCount: number;
     } | undefined;
+    text?: string | undefined;
+    tool?: {
+        name: string;
+        parameters: string;
+        result: string;
+        rawArguments?: string | undefined;
+        accepted?: boolean | undefined;
+    } | undefined;
 }>, "many">;
 type PromptItemArray = z.infer<typeof PromptItemArrayZ>;
 type UploadAiBlameOptions = {
@@ -185,6 +195,12 @@ type UploadAiBlameOptions = {
     'blame-type'?: AiBlameInferenceType[];
 };
 declare function uploadAiBlameBuilder(args: Yargs.Argv<unknown>): Yargs.Argv<UploadAiBlameOptions>;
+type UploadAiBlameResult = {
+    promptsCounts: SanitizationCounts;
+    inferenceCounts: SanitizationCounts;
+    promptsUUID?: string;
+    inferenceUUID?: string;
+};
 declare function uploadAiBlameHandlerFromExtension(args: {
     prompts: PromptItemArray;
     inference: string;
@@ -192,7 +208,7 @@ declare function uploadAiBlameHandlerFromExtension(args: {
     tool: string;
     responseTime: string;
     blameType?: AiBlameInferenceType;
-}): Promise<void>;
+}): Promise<UploadAiBlameResult>;
 declare function uploadAiBlameHandler(args: UploadAiBlameOptions, exitOnError?: boolean): Promise<void>;
 
-export { type PromptItem, type PromptItemArray, type UploadAiBlameOptions, uploadAiBlameBuilder, uploadAiBlameHandler, uploadAiBlameHandlerFromExtension };
+export { type PromptItem, type PromptItemArray, type UploadAiBlameOptions, type UploadAiBlameResult, uploadAiBlameBuilder, uploadAiBlameHandler, uploadAiBlameHandlerFromExtension };

package/dist/args/commands/upload_ai_blame.mjs

@@ -736,7 +736,7 @@ var GetVulByNodesMetadataDocument = `
     where: {id: {_eq: $vulnerabilityReportId}}
   ) {
     vulnerabilityReportIssues(
-      where: {fixId: {_is_null: true}, category: {_in: [Irrelevant, FalsePositive, Filtered]}}
+      where: {fixId: {_is_null: true}, category: {_in: [Irrelevant, FalsePositive, Filtered]}, _not: {vulnerabilityReportIssueTags: {vulnerability_report_issue_tag_value: {_eq: SUPPRESSED}}}}
     ) {
       id
       safeIssueType
@@ -5128,6 +5128,143 @@ async function uploadFile({
   logInfo(`FileUpload: upload file done`);
 }
 
+// src/utils/sanitize-sensitive-data.ts
+import { OpenRedaction } from "@openredaction/openredaction";
+import { spawn } from "child_process";
+import { installGitleaks } from "gitleaks-secret-scanner/lib/installer.js";
+var openRedaction = new OpenRedaction();
+var gitleaksBinaryPath = null;
+async function initializeGitleaks() {
+  try {
+    gitleaksBinaryPath = await installGitleaks({ version: "8.27.2" });
+    return gitleaksBinaryPath;
+  } catch {
+    return null;
+  }
+}
+var gitleaksInitPromise = initializeGitleaks();
+async function detectSecretsWithGitleaks(text) {
+  const secrets = /* @__PURE__ */ new Set();
+  const binaryPath = gitleaksBinaryPath || await gitleaksInitPromise;
+  if (!binaryPath) {
+    return secrets;
+  }
+  return new Promise((resolve) => {
+    const gitleaks = spawn(
+      binaryPath,
+      [
+        "detect",
+        "--pipe",
+        "--no-banner",
+        "--exit-code",
+        "0",
+        "--report-format",
+        "json"
+      ],
+      {
+        stdio: ["pipe", "pipe", "ignore"]
+      }
+    );
+    let output = "";
+    gitleaks.stdout.on("data", (data) => {
+      output += data.toString();
+    });
+    gitleaks.on("close", () => {
+      try {
+        const findings = JSON.parse(output);
+        if (Array.isArray(findings)) {
+          for (const finding of findings) {
+            if (finding.Secret) {
+              secrets.add(finding.Secret);
+            }
+          }
+        }
+      } catch {
+      }
+      resolve(secrets);
+    });
+    gitleaks.on("error", () => {
+      resolve(secrets);
+    });
+    gitleaks.stdin.write(text);
+    gitleaks.stdin.end();
+  });
+}
+function maskString(str, showStart = 2, showEnd = 2) {
+  if (str.length <= showStart + showEnd) {
+    return "*".repeat(str.length);
+  }
+  return str.slice(0, showStart) + "*".repeat(str.length - showStart - showEnd) + str.slice(-showEnd);
+}
+async function sanitizeDataWithCounts(obj) {
+  const counts = {
+    pii: { total: 0, high: 0, medium: 0, low: 0 },
+    secrets: 0
+  };
+  const sanitizeString = async (str) => {
+    let result = str;
+    const piiDetections = openRedaction.scan(str);
+    if (piiDetections && piiDetections.total > 0) {
+      const allDetections = [
+        ...piiDetections.high,
+        ...piiDetections.medium,
+        ...piiDetections.low
+      ];
+      const filteredDetections = allDetections.filter((detection) => {
+        if (detection.type === "INSTAGRAM_USERNAME") {
+          return false;
+        }
+        if (detection.value.length < 3 && detection.severity !== "high") {
+          return false;
+        }
+        return true;
+      });
+      for (const detection of filteredDetections) {
+        counts.pii.total++;
+        if (detection.severity === "high") counts.pii.high++;
+        else if (detection.severity === "medium") counts.pii.medium++;
+        else if (detection.severity === "low") counts.pii.low++;
+        const masked = maskString(detection.value);
+        result = result.replaceAll(detection.value, masked);
+      }
+    }
+    const secrets = await detectSecretsWithGitleaks(result);
+    counts.secrets += secrets.size;
+    for (const secret of secrets) {
+      const masked = maskString(secret);
+      result = result.replaceAll(secret, masked);
+    }
+    return result;
+  };
+  const sanitizeRecursive = async (data) => {
+    if (typeof data === "string") {
+      return sanitizeString(data);
+    } else if (Array.isArray(data)) {
+      return Promise.all(data.map((item) => sanitizeRecursive(item)));
+    } else if (data instanceof Error) {
+      return data;
+    } else if (data instanceof Date) {
+      return data;
+    } else if (typeof data === "object" && data !== null) {
+      const sanitized = {};
+      const record = data;
+      for (const key in record) {
+        if (Object.prototype.hasOwnProperty.call(record, key)) {
+          sanitized[key] = await sanitizeRecursive(record[key]);
+        }
+      }
+      return sanitized;
+    }
+    return data;
+  };
+  const sanitizedData = await sanitizeRecursive(obj);
+  return { sanitizedData, counts };
+}
+async function sanitizeData(obj) {
+  const result = await sanitizeDataWithCounts(obj);
+  return result.sanitizedData;
+}
+
 // src/args/commands/upload_ai_blame.ts
 var PromptItemZ = z26.object({
   type: z26.enum(["USER_PROMPT", "AI_RESPONSE", "TOOL_EXECUTION", "AI_THINKING"]),
@@ -5197,15 +5334,32 @@ async function uploadAiBlameHandlerFromExtension(args) {
     aiResponseAt: [],
     blameType: []
   };
+  let promptsCounts;
+  let inferenceCounts;
+  let promptsUUID;
+  let inferenceUUID;
   await withFile(async (promptFile) => {
+    const promptsResult = await sanitizeDataWithCounts(args.prompts);
+    promptsCounts = promptsResult.counts;
+    promptsUUID = path6.basename(promptFile.path, path6.extname(promptFile.path));
     await fsPromises2.writeFile(
       promptFile.path,
-      JSON.stringify(args.prompts, null, 2),
+      JSON.stringify(promptsResult.sanitizedData, null, 2),
       "utf-8"
     );
     uploadArgs.prompt.push(promptFile.path);
     await withFile(async (inferenceFile) => {
-      await fsPromises2.writeFile(inferenceFile.path, args.inference, "utf-8");
+      const inferenceResult = await sanitizeDataWithCounts(args.inference);
+      inferenceCounts = inferenceResult.counts;
+      inferenceUUID = path6.basename(
+        inferenceFile.path,
+        path6.extname(inferenceFile.path)
+      );
+      await fsPromises2.writeFile(
+        inferenceFile.path,
+        inferenceResult.sanitizedData,
+        "utf-8"
+      );
       uploadArgs.inference.push(inferenceFile.path);
       uploadArgs.model.push(args.model);
       uploadArgs.toolName.push(args.tool);
@@ -5214,6 +5368,12 @@ async function uploadAiBlameHandlerFromExtension(args) {
       await uploadAiBlameHandler(uploadArgs, false);
     });
   });
+  return {
+    promptsCounts,
+    inferenceCounts,
+    promptsUUID,
+    inferenceUUID
+  };
 }
 async function uploadAiBlameHandler(args, exitOnError = true) {
   const prompts = args.prompt || [];
@@ -5260,8 +5420,11 @@ async function uploadAiBlameHandler(args, exitOnError = true) {
   const authenticatedClient = await getAuthenticatedGQLClient({
     isSkipPrompts: true
   });
-  const initRes = await authenticatedClient.uploadAIBlameInferencesInitRaw({
+  const sanitizedSessions = await sanitizeData(
     sessions
+  );
+  const initRes = await authenticatedClient.uploadAIBlameInferencesInitRaw({
+    sessions: sanitizedSessions
   });
   const uploadSessions = initRes.uploadAIBlameInferencesInit?.uploadSessions ?? [];
   if (uploadSessions.length !== sessions.length) {
@@ -5305,8 +5468,11 @@ async function uploadAiBlameHandler(args, exitOnError = true) {
       blameType: s.blameType
     };
   });
+  const sanitizedFinalizeSessions = await sanitizeData(
+    finalizeSessions
+  );
   const finRes = await authenticatedClient.finalizeAIBlameInferencesUploadRaw({
-    sessions: finalizeSessions
+    sessions: sanitizedFinalizeSessions
   });
   const status = finRes?.finalizeAIBlameInferencesUpload?.status;
   if (status !== "OK") {

package/dist/index.mjs

@@ -1996,7 +1996,7 @@ var GetVulByNodesMetadataDocument = `
     where: {id: {_eq: $vulnerabilityReportId}}
   ) {
     vulnerabilityReportIssues(
-      where: {fixId: {_is_null: true}, category: {_in: [Irrelevant, FalsePositive, Filtered]}}
+      where: {fixId: {_is_null: true}, category: {_in: [Irrelevant, FalsePositive, Filtered]}, _not: {vulnerabilityReportIssueTags: {vulnerability_report_issue_tag_value: {_eq: SUPPRESSED}}}}
     ) {
       id
       safeIssueType
@@ -7512,6 +7512,61 @@ var GET_BLAME_DOCUMENT = `
         }
       }
     `;
+var GITHUB_GRAPHQL_FRAGMENTS = {
+  /**
+   * Fragment for fetching PR additions/deletions.
+   * Use with pullRequest(number: $n) alias.
+   */
+  PR_CHANGES: `
+    additions
+    deletions
+  `,
+  /**
+   * Fragment for fetching PR comments.
+   * Returns first 100 comments with author info.
+   */
+  PR_COMMENTS: `
+    comments(first: 100) {
+      nodes {
+        author {
+          login
+          __typename
+        }
+        body
+      }
+    }
+  `,
+  /**
+   * Fragment for fetching blame data.
+   * Use with object(expression: $ref) on Commit type.
+   */
+  BLAME_RANGES: `
+    blame(path: "$path") {
+      ranges {
+        startingLine
+        endingLine
+        commit {
+          oid
+          author {
+            user {
+              name
+              login
+              email
+            }
+          }
+        }
+      }
+    }
+  `,
+  /**
+   * Fragment for fetching commit timestamp.
+   * Use with object(oid: $sha) on Commit type.
+   */
+  COMMIT_TIMESTAMP: `
+    oid
+    committedDate
+  `
+};
 
 // src/features/analysis/scm/github/utils/encrypt_secret.ts
 import sodium from "libsodium-wrappers";
@@ -7649,6 +7704,36 @@ async function githubValidateParams(url, accessToken) {
 
 // src/features/analysis/scm/github/github.ts
 var MAX_GH_PR_BODY_LENGTH = 65536;
+async function executeBatchGraphQL(octokit, owner, repo, config2) {
+  const { items, aliasPrefix, buildFragment, extractResult } = config2;
+  if (items.length === 0) {
+    return /* @__PURE__ */ new Map();
+  }
+  const fragments = items.map((item, index) => buildFragment(item, index)).join("\n");
+  const query = `
+    query Batch${aliasPrefix}($owner: String!, $repo: String!) {
+      repository(owner: $owner, name: $repo) {
+        ${fragments}
+      }
+    }
+  `;
+  const response = await octokit.graphql(query, { owner, repo });
+  const result = /* @__PURE__ */ new Map();
+  items.forEach((item, index) => {
+    const data = response.repository[`${aliasPrefix}${index}`];
+    if (data) {
+      const extracted = extractResult(
+        data,
+        item,
+        index
+      );
+      if (extracted !== void 0) {
+        result.set(item, extracted);
+      }
+    }
+  });
+  return result;
+}
 function getGithubSdk(params = {}) {
   const octokit = getOctoKit(params);
   return {
@@ -8114,6 +8199,125 @@ function getGithubSdk(params = {}) {
         pull_number: params2.pull_number
       });
       return { data };
+    },
+    /**
+     * Batch fetch additions/deletions for multiple PRs via GraphQL.
+     * Uses GITHUB_GRAPHQL_FRAGMENTS.PR_CHANGES for the field selection.
+     */
+    async getPrAdditionsDeletionsBatch(params2) {
+      return executeBatchGraphQL(octokit, params2.owner, params2.repo, {
+        items: params2.prNumbers,
+        aliasPrefix: "pr",
+        buildFragment: (prNumber, index) => `
+          pr${index}: pullRequest(number: ${prNumber}) {
+            ${GITHUB_GRAPHQL_FRAGMENTS.PR_CHANGES}
+          }`,
+        extractResult: (data) => {
+          const prData = data;
+          if (prData.additions !== void 0 && prData.deletions !== void 0) {
+            return {
+              additions: prData.additions,
+              deletions: prData.deletions
+            };
+          }
+          return void 0;
+        }
+      });
+    },
+    /**
+     * Batch fetch comments for multiple PRs via GraphQL.
+     * Uses GITHUB_GRAPHQL_FRAGMENTS.PR_COMMENTS for the field selection.
+     */
+    async getPrCommentsBatch(params2) {
+      return executeBatchGraphQL(octokit, params2.owner, params2.repo, {
+        items: params2.prNumbers,
+        aliasPrefix: "pr",
+        buildFragment: (prNumber, index) => `
+          pr${index}: pullRequest(number: ${prNumber}) {
+            ${GITHUB_GRAPHQL_FRAGMENTS.PR_COMMENTS}
+          }`,
+        extractResult: (data) => {
+          const prData = data;
+          if (prData.comments?.nodes) {
+            return prData.comments.nodes.map((node) => ({
+              author: node.author ? { login: node.author.login, type: node.author.__typename } : null,
+              body: node.body
+            }));
+          }
+          return void 0;
+        }
+      });
+    },
+    /**
+     * Batch fetch blame data for multiple files via GraphQL.
+     * Field selection matches GITHUB_GRAPHQL_FRAGMENTS.BLAME_RANGES pattern.
+     */
+    async getBlameBatch(params2) {
+      return executeBatchGraphQL(octokit, params2.owner, params2.repo, {
+        items: params2.filePaths,
+        aliasPrefix: "file",
+        buildFragment: (path22, index) => `
+          file${index}: object(expression: "${params2.ref}") {
+            ... on Commit {
+              blame(path: "${path22}") {
+                ranges {
+                  startingLine
+                  endingLine
+                  commit {
+                    oid
+                    author {
+                      user {
+                        name
+                        login
+                        email
+                      }
+                    }
+                  }
+                }
+              }
+            }
+          }`,
+        extractResult: (data) => {
+          const fileData = data;
+          if (fileData.blame?.ranges) {
+            return fileData.blame.ranges.map((range) => ({
+              startingLine: range.startingLine,
+              endingLine: range.endingLine,
+              commitSha: range.commit.oid,
+              email: range.commit.author.user?.email || "",
+              name: range.commit.author.user?.name || "",
+              login: range.commit.author.user?.login || ""
+            }));
+          }
+          return void 0;
+        }
+      });
+    },
+    /**
+     * Batch fetch commit timestamps for multiple commits via GraphQL.
+     * Uses GITHUB_GRAPHQL_FRAGMENTS.COMMIT_TIMESTAMP for the field selection.
+     */
+    async getCommitsBatch(params2) {
+      return executeBatchGraphQL(octokit, params2.owner, params2.repo, {
+        items: params2.commitShas,
+        aliasPrefix: "commit",
+        buildFragment: (sha, index) => `
+          commit${index}: object(oid: "${sha}") {
+            ... on Commit {
+              ${GITHUB_GRAPHQL_FRAGMENTS.COMMIT_TIMESTAMP}
+            }
+          }`,
+        extractResult: (data) => {
+          const commitData = data;
+          if (commitData.oid && commitData.committedDate) {
+            return {
+              sha: commitData.oid,
+              timestamp: new Date(commitData.committedDate)
+            };
+          }
+          return void 0;
+        }
+      });
     }
   };
 }
@@ -8382,7 +8586,7 @@ var GithubSCMLib = class extends SCMLib {
       comment_id: commentId
     });
   }
-  async getCommitDiff(commitSha) {
+  async getCommitDiff(commitSha, options) {
     this._validateAccessTokenAndUrl();
     const { owner, repo } = parseGithubOwnerAndRepo(this.url);
     const { commit, diff } = await this.githubSdk.getCommitWithDiff({
@@ -8393,43 +8597,49 @@ var GithubSCMLib = class extends SCMLib {
     const commitTimestamp = commit.commit.committer?.date ? new Date(commit.commit.committer.date) : new Date(commit.commit.author?.date || Date.now());
     let parentCommits;
     if (commit.parents && commit.parents.length > 0) {
+      if (options?.parentCommitTimestamps) {
+        parentCommits = commit.parents.map((p) => options.parentCommitTimestamps.get(p.sha)).filter((p) => p !== void 0);
+      } else {
+        try {
+          parentCommits = await Promise.all(
+            commit.parents.map(async (parent) => {
+              const parentCommit = await this.githubSdk.getCommit({
+                owner,
+                repo,
+                commitSha: parent.sha
+              });
+              const parentTimestamp = parentCommit.data.committer?.date ? new Date(parentCommit.data.committer.date) : new Date(Date.now());
+              return {
+                sha: parent.sha,
+                timestamp: parentTimestamp
+              };
+            })
+          );
+        } catch (error) {
+          console.error("Failed to fetch parent commit timestamps", {
+            error,
+            commitSha,
+            owner,
+            repo
+          });
+          parentCommits = void 0;
+        }
+      }
+    }
+    let repositoryCreatedAt = options?.repositoryCreatedAt;
+    if (repositoryCreatedAt === void 0) {
       try {
-        parentCommits = await Promise.all(
-          commit.parents.map(async (parent) => {
-            const parentCommit = await this.githubSdk.getCommit({
-              owner,
-              repo,
-              commitSha: parent.sha
-            });
-            const parentTimestamp = parentCommit.data.committer?.date ? new Date(parentCommit.data.committer.date) : new Date(Date.now());
-            return {
-              sha: parent.sha,
-              timestamp: parentTimestamp
-            };
-          })
-        );
+        const repoData = await this.githubSdk.getRepository({ owner, repo });
+        repositoryCreatedAt = repoData.data.created_at ? new Date(repoData.data.created_at) : void 0;
       } catch (error) {
-        console.error("Failed to fetch parent commit timestamps", {
+        console.error("Failed to fetch repository creation date", {
           error,
-          commitSha,
           owner,
           repo
         });
-        parentCommits = void 0;
+        repositoryCreatedAt = void 0;
       }
     }
-    let repositoryCreatedAt;
-    try {
-      const repoData = await this.githubSdk.getRepository({ owner, repo });
-      repositoryCreatedAt = repoData.data.created_at ? new Date(repoData.data.created_at) : void 0;
-    } catch (error) {
-      console.error("Failed to fetch repository creation date", {
-        error,
-        owner,
-        repo
-      });
-      repositoryCreatedAt = void 0;
-    }
     return {
       diff,
       commitTimestamp,
@@ -8445,15 +8655,37 @@ var GithubSCMLib = class extends SCMLib {
     this._validateAccessTokenAndUrl();
     const { owner, repo } = parseGithubOwnerAndRepo(this.url);
     const prNumber = Number(submitRequestId);
-    const [prRes, commitsRes, filesRes] = await Promise.all([
+    const [prRes, commitsRes, filesRes, repoData] = await Promise.all([
       this.githubSdk.getPr({ owner, repo, pull_number: prNumber }),
       this.githubSdk.getPrCommits({ owner, repo, pull_number: prNumber }),
-      this.githubSdk.listPRFiles({ owner, repo, pull_number: prNumber })
+      this.githubSdk.listPRFiles({ owner, repo, pull_number: prNumber }),
+      this.githubSdk.getRepository({ owner, repo })
     ]);
     const pr = prRes.data;
-    const prDiff = await this.getPrDiff({ pull_number: prNumber });
+    const repositoryCreatedAt = repoData.data.created_at ? new Date(repoData.data.created_at) : void 0;
+    const allParentShas = /* @__PURE__ */ new Set();
+    for (const commit of commitsRes.data) {
+      if (commit.parents) {
+        for (const parent of commit.parents) {
+          allParentShas.add(parent.sha);
+        }
+      }
+    }
+    const [parentCommitTimestamps, prDiff] = await Promise.all([
+      this.githubSdk.getCommitsBatch({
+        owner,
+        repo,
+        commitShas: Array.from(allParentShas)
+      }),
+      this.getPrDiff({ pull_number: prNumber })
+    ]);
     const commits = await Promise.all(
-      commitsRes.data.map((commit) => this.getCommitDiff(commit.sha))
+      commitsRes.data.map(
+        (commit) => this.getCommitDiff(commit.sha, {
+          repositoryCreatedAt,
+          parentCommitTimestamps
+        })
+      )
     );
     const diffLines = await this._attributeLinesViaBlame(
       pr.head.ref,
@@ -8480,104 +8712,83 @@ var GithubSCMLib = class extends SCMLib {
     this._validateAccessToken();
     const { owner, repo } = parseGithubOwnerAndRepo(repoUrl);
     const pullsRes = await this.githubSdk.getRepoPullRequests({ owner, repo });
-    const submitRequests = await Promise.all(
-      pullsRes.data.map(async (pr) => {
-        let status = "open";
-        if (pr.state === "closed") {
-          status = pr.merged_at ? "merged" : "closed";
-        } else if (pr.draft) {
-          status = "draft";
-        }
-        const [tickets, changedLines] = await Promise.all([
-          this._extractLinearTicketsFromPR(owner, repo, pr.number),
-          this._calculateChangedLinesFromPR(owner, repo, pr.number)
-        ]);
-        return {
-          submitRequestId: String(pr.number),
-          submitRequestNumber: pr.number,
-          title: pr.title,
-          status,
-          sourceBranch: pr.head.ref,
-          targetBranch: pr.base.ref,
-          authorName: pr.user?.name || pr.user?.login,
-          authorEmail: pr.user?.email || void 0,
-          createdAt: new Date(pr.created_at),
-          updatedAt: new Date(pr.updated_at),
-          description: pr.body || void 0,
-          tickets,
-          changedLines
-        };
-      })
-    );
+    const prNumbers = pullsRes.data.map((pr) => pr.number);
+    const [additionsDeletionsMap, commentsMap] = await Promise.all([
+      this.githubSdk.getPrAdditionsDeletionsBatch({ owner, repo, prNumbers }),
+      this.githubSdk.getPrCommentsBatch({ owner, repo, prNumbers })
+    ]);
+    const submitRequests = pullsRes.data.map((pr) => {
+      let status = "open";
+      if (pr.state === "closed") {
+        status = pr.merged_at ? "merged" : "closed";
+      } else if (pr.draft) {
+        status = "draft";
+      }
+      const changedLinesData = additionsDeletionsMap.get(pr.number);
+      const changedLines = changedLinesData ? {
+        added: changedLinesData.additions,
+        removed: changedLinesData.deletions
+      } : { added: 0, removed: 0 };
+      const comments = commentsMap.get(pr.number) || [];
+      const tickets = this._extractLinearTicketsFromComments(comments);
+      return {
+        submitRequestId: String(pr.number),
+        submitRequestNumber: pr.number,
+        title: pr.title,
+        status,
+        sourceBranch: pr.head.ref,
+        targetBranch: pr.base.ref,
+        authorName: pr.user?.name || pr.user?.login,
+        authorEmail: pr.user?.email || void 0,
+        createdAt: new Date(pr.created_at),
+        updatedAt: new Date(pr.updated_at),
+        description: pr.body || void 0,
+        tickets,
+        changedLines
+      };
+    });
     return submitRequests;
   }
-  async _extractLinearTicketsFromPR(owner, repo, prNumber) {
-    try {
-      const commentsRes = await this.githubSdk.getGeneralPrComments({
-        owner,
-        repo,
-        issue_number: prNumber
-      });
-      const tickets = [];
-      for (const comment of commentsRes.data) {
-        if (comment.user?.login === "linear[bot]" || comment.user?.type === "Bot") {
-          const htmlLinkPattern = /<a href="(https:\/\/linear\.app\/[^"]+)">([A-Z]+-\d+)<\/a>/g;
-          let match;
-          while ((match = htmlLinkPattern.exec(comment.body || "")) !== null) {
-            const url = match[1];
-            const name = match[2];
-            if (!name || !url) {
-              continue;
-            }
-            const urlParts = url.split("/");
-            const titleSlug = urlParts[urlParts.length - 1] || "";
-            const title = titleSlug.replace(/-/g, " ");
-            tickets.push({ name, title, url });
-          }
-          const markdownLinkPattern = /\[([A-Z]+-\d+)\]\((https:\/\/linear\.app\/[^)]+)\)/g;
-          while ((match = markdownLinkPattern.exec(comment.body || "")) !== null) {
-            const name = match[1];
-            const url = match[2];
-            if (tickets.some((t) => t.name === name && t.url === url)) {
-              continue;
-            }
-            if (!name || !url) {
-              continue;
-            }
-            const urlParts = url.split("/");
-            const titleSlug = urlParts[urlParts.length - 1] || "";
-            const title = titleSlug.replace(/-/g, " ");
-            tickets.push({ name, title, url });
+  /**
+   * Parse a Linear ticket from URL and name
+   * Returns null if invalid or missing data
+   */
+  _parseLinearTicket(url, name) {
+    if (!name || !url) return null;
+    const urlParts = url.split("/");
+    const titleSlug = urlParts[urlParts.length - 1] || "";
+    const title = titleSlug.replace(/-/g, " ");
+    return { name, title, url };
+  }
+  /**
+   * Extract Linear ticket links from pre-fetched comments (pure function, no API calls)
+   */
+  _extractLinearTicketsFromComments(comments) {
+    const tickets = [];
+    const seen = /* @__PURE__ */ new Set();
+    for (const comment of comments) {
+      if (comment.author?.login === "linear[bot]" || comment.author?.type === "Bot") {
+        const body = comment.body || "";
+        const htmlPattern = /<a href="(https:\/\/linear\.app\/[^"]+)">([A-Z]+-\d+)<\/a>/g;
+        let match;
+        while ((match = htmlPattern.exec(body)) !== null) {
+          const ticket = this._parseLinearTicket(match[1], match[2]);
+          if (ticket && !seen.has(`${ticket.name}|${ticket.url}`)) {
+            seen.add(`${ticket.name}|${ticket.url}`);
+            tickets.push(ticket);
           }
         }
-      }
-      return tickets;
-    } catch (error) {
-      return [];
-    }
-  }
-  async _calculateChangedLinesFromPR(owner, repo, prNumber) {
-    try {
-      const diffRes = await this.githubSdk.getPrDiff({
-        owner,
-        repo,
-        pull_number: prNumber
-      });
-      const diff = z21.string().parse(diffRes.data);
-      let added = 0;
-      let removed = 0;
-      const lines = diff.split("\n");
-      for (const line of lines) {
-        if (line.startsWith("+") && !line.startsWith("+++")) {
-          added++;
-        } else if (line.startsWith("-") && !line.startsWith("---")) {
-          removed++;
+        const markdownPattern = /\[([A-Z]+-\d+)\]\((https:\/\/linear\.app\/[^)]+)\)/g;
+        while ((match = markdownPattern.exec(body)) !== null) {
+          const ticket = this._parseLinearTicket(match[2], match[1]);
+          if (ticket && !seen.has(`${ticket.name}|${ticket.url}`)) {
+            seen.add(`${ticket.name}|${ticket.url}`);
+            tickets.push(ticket);
+          }
         }
       }
-      return { added, removed };
-    } catch (error) {
-      return { added: 0, removed: 0 };
     }
+    return tickets;
   }
   /**
    * Optimized helper to parse added line numbers from a unified diff patch
@@ -8605,48 +8816,59 @@ var GithubSCMLib = class extends SCMLib {
     return addedLines;
   }
   /**
-   * Attribute lines in a single file to their commits using blame
+   * Process blame data for a single file to attribute lines to commits
+   * Uses pre-fetched blame data instead of making API calls
    */
-  async _attributeFileLines(file, headRef, prCommitShas) {
-    try {
-      const blame = await this.getRepoBlameRanges(headRef, file.filename);
-      const addedLines = this._parseAddedLinesFromPatch(file.patch);
-      const addedLinesSet = new Set(addedLines);
-      const fileAttributions = [];
-      for (const blameRange of blame) {
-        if (!prCommitShas.has(blameRange.commitSha)) {
-          continue;
-        }
-        for (let lineNum = blameRange.startingLine; lineNum <= blameRange.endingLine; lineNum++) {
-          if (addedLinesSet.has(lineNum)) {
-            fileAttributions.push({
-              file: file.filename,
-              line: lineNum,
-              commitSha: blameRange.commitSha
-            });
-          }
+  _processFileBlameSafe(file, blameData, prCommitShas) {
+    const addedLines = this._parseAddedLinesFromPatch(file.patch);
+    const addedLinesSet = new Set(addedLines);
+    const fileAttributions = [];
+    for (const blameRange of blameData) {
+      if (!prCommitShas.has(blameRange.commitSha)) {
+        continue;
+      }
+      for (let lineNum = blameRange.startingLine; lineNum <= blameRange.endingLine; lineNum++) {
+        if (addedLinesSet.has(lineNum)) {
+          fileAttributions.push({
+            file: file.filename,
+            line: lineNum,
+            commitSha: blameRange.commitSha
+          });
         }
       }
-      return fileAttributions;
-    } catch (error) {
-      return [];
     }
+    return fileAttributions;
   }
   /**
    * Optimized helper to attribute PR lines to commits using blame API
-   * Parallel blame queries for minimal API call time
+   * Batch blame queries for minimal API call time (1 call instead of M calls)
    */
   async _attributeLinesViaBlame(headRef, changedFiles, prCommits) {
     const prCommitShas = new Set(prCommits.map((c) => c.commitSha));
     const filesWithAdditions = changedFiles.filter(
       (file) => file.patch?.includes("\n+")
     );
-    const attributions = await Promise.all(
-      filesWithAdditions.map(
-        (file) => this._attributeFileLines(file, headRef, prCommitShas)
-      )
-    );
-    return attributions.flat();
+    if (filesWithAdditions.length === 0) {
+      return [];
+    }
+    const { owner, repo } = parseGithubOwnerAndRepo(this.url);
+    const blameMap = await this.githubSdk.getBlameBatch({
+      owner,
+      repo,
+      ref: headRef,
+      filePaths: filesWithAdditions.map((f) => f.filename)
+    });
+    const allAttributions = [];
+    for (const file of filesWithAdditions) {
+      const blameData = blameMap.get(file.filename) || [];
+      const fileAttributions = this._processFileBlameSafe(
+        file,
+        blameData,
+        prCommitShas
+      );
+      allAttributions.push(...fileAttributions);
+    }
+    return allAttributions;
   }
 };
 
@@ -13046,6 +13268,145 @@ import path11 from "path";
 import chalk9 from "chalk";
 import { withFile } from "tmp-promise";
 import z31 from "zod";
+
+// src/utils/sanitize-sensitive-data.ts
+import { OpenRedaction } from "@openredaction/openredaction";
+import { spawn } from "child_process";
+import { installGitleaks } from "gitleaks-secret-scanner/lib/installer.js";
+var openRedaction = new OpenRedaction();
+var gitleaksBinaryPath = null;
+async function initializeGitleaks() {
+  try {
+    gitleaksBinaryPath = await installGitleaks({ version: "8.27.2" });
+    return gitleaksBinaryPath;
+  } catch {
+    return null;
+  }
+}
+var gitleaksInitPromise = initializeGitleaks();
+async function detectSecretsWithGitleaks(text) {
+  const secrets = /* @__PURE__ */ new Set();
+  const binaryPath = gitleaksBinaryPath || await gitleaksInitPromise;
+  if (!binaryPath) {
+    return secrets;
+  }
+  return new Promise((resolve) => {
+    const gitleaks = spawn(
+      binaryPath,
+      [
+        "detect",
+        "--pipe",
+        "--no-banner",
+        "--exit-code",
+        "0",
+        "--report-format",
+        "json"
+      ],
+      {
+        stdio: ["pipe", "pipe", "ignore"]
+      }
+    );
+    let output = "";
+    gitleaks.stdout.on("data", (data) => {
+      output += data.toString();
+    });
+    gitleaks.on("close", () => {
+      try {
+        const findings = JSON.parse(output);
+        if (Array.isArray(findings)) {
+          for (const finding of findings) {
+            if (finding.Secret) {
+              secrets.add(finding.Secret);
+            }
+          }
+        }
+      } catch {
+      }
+      resolve(secrets);
+    });
+    gitleaks.on("error", () => {
+      resolve(secrets);
+    });
+    gitleaks.stdin.write(text);
+    gitleaks.stdin.end();
+  });
+}
+function maskString(str, showStart = 2, showEnd = 2) {
+  if (str.length <= showStart + showEnd) {
+    return "*".repeat(str.length);
+  }
+  return str.slice(0, showStart) + "*".repeat(str.length - showStart - showEnd) + str.slice(-showEnd);
+}
+async function sanitizeDataWithCounts(obj) {
+  const counts = {
+    pii: { total: 0, high: 0, medium: 0, low: 0 },
+    secrets: 0
+  };
+  const sanitizeString = async (str) => {
+    let result = str;
+    const piiDetections = openRedaction.scan(str);
+    if (piiDetections && piiDetections.total > 0) {
+      const allDetections = [
+        ...piiDetections.high,
+        ...piiDetections.medium,
+        ...piiDetections.low
+      ];
+      const filteredDetections = allDetections.filter((detection) => {
+        if (detection.type === "INSTAGRAM_USERNAME") {
+          return false;
+        }
+        if (detection.value.length < 3 && detection.severity !== "high") {
+          return false;
+        }
+        return true;
+      });
+      for (const detection of filteredDetections) {
+        counts.pii.total++;
+        if (detection.severity === "high") counts.pii.high++;
+        else if (detection.severity === "medium") counts.pii.medium++;
+        else if (detection.severity === "low") counts.pii.low++;
+        const masked = maskString(detection.value);
+        result = result.replaceAll(detection.value, masked);
+      }
+    }
+    const secrets = await detectSecretsWithGitleaks(result);
+    counts.secrets += secrets.size;
+    for (const secret of secrets) {
+      const masked = maskString(secret);
+      result = result.replaceAll(secret, masked);
+    }
+    return result;
+  };
+  const sanitizeRecursive = async (data) => {
+    if (typeof data === "string") {
+      return sanitizeString(data);
+    } else if (Array.isArray(data)) {
+      return Promise.all(data.map((item) => sanitizeRecursive(item)));
+    } else if (data instanceof Error) {
+      return data;
+    } else if (data instanceof Date) {
+      return data;
+    } else if (typeof data === "object" && data !== null) {
+      const sanitized = {};
+      const record = data;
+      for (const key in record) {
+        if (Object.prototype.hasOwnProperty.call(record, key)) {
+          sanitized[key] = await sanitizeRecursive(record[key]);
+        }
+      }
+      return sanitized;
+    }
+    return data;
+  };
+  const sanitizedData = await sanitizeRecursive(obj);
+  return { sanitizedData, counts };
+}
+async function sanitizeData(obj) {
+  const result = await sanitizeDataWithCounts(obj);
+  return result.sanitizedData;
+}
+
+// src/args/commands/upload_ai_blame.ts
 var PromptItemZ = z31.object({
   type: z31.enum(["USER_PROMPT", "AI_RESPONSE", "TOOL_EXECUTION", "AI_THINKING"]),
   attachedFiles: z31.array(
@@ -13114,15 +13475,32 @@ async function uploadAiBlameHandlerFromExtension(args) {
     aiResponseAt: [],
     blameType: []
   };
+  let promptsCounts;
+  let inferenceCounts;
+  let promptsUUID;
+  let inferenceUUID;
   await withFile(async (promptFile) => {
+    const promptsResult = await sanitizeDataWithCounts(args.prompts);
+    promptsCounts = promptsResult.counts;
+    promptsUUID = path11.basename(promptFile.path, path11.extname(promptFile.path));
     await fsPromises3.writeFile(
       promptFile.path,
-      JSON.stringify(args.prompts, null, 2),
+      JSON.stringify(promptsResult.sanitizedData, null, 2),
       "utf-8"
     );
     uploadArgs.prompt.push(promptFile.path);
     await withFile(async (inferenceFile) => {
-      await fsPromises3.writeFile(inferenceFile.path, args.inference, "utf-8");
+      const inferenceResult = await sanitizeDataWithCounts(args.inference);
+      inferenceCounts = inferenceResult.counts;
+      inferenceUUID = path11.basename(
+        inferenceFile.path,
+        path11.extname(inferenceFile.path)
+      );
+      await fsPromises3.writeFile(
+        inferenceFile.path,
+        inferenceResult.sanitizedData,
+        "utf-8"
+      );
       uploadArgs.inference.push(inferenceFile.path);
       uploadArgs.model.push(args.model);
       uploadArgs.toolName.push(args.tool);
@@ -13131,6 +13509,12 @@ async function uploadAiBlameHandlerFromExtension(args) {
       await uploadAiBlameHandler(uploadArgs, false);
     });
   });
+  return {
+    promptsCounts,
+    inferenceCounts,
+    promptsUUID,
+    inferenceUUID
+  };
 }
 async function uploadAiBlameHandler(args, exitOnError = true) {
   const prompts = args.prompt || [];
@@ -13177,8 +13561,11 @@ async function uploadAiBlameHandler(args, exitOnError = true) {
   const authenticatedClient = await getAuthenticatedGQLClient({
     isSkipPrompts: true
   });
-  const initRes = await authenticatedClient.uploadAIBlameInferencesInitRaw({
+  const sanitizedSessions = await sanitizeData(
     sessions
+  );
+  const initRes = await authenticatedClient.uploadAIBlameInferencesInitRaw({
+    sessions: sanitizedSessions
   });
   const uploadSessions = initRes.uploadAIBlameInferencesInit?.uploadSessions ?? [];
   if (uploadSessions.length !== sessions.length) {
@@ -13222,8 +13609,11 @@ async function uploadAiBlameHandler(args, exitOnError = true) {
       blameType: s.blameType
     };
   });
+  const sanitizedFinalizeSessions = await sanitizeData(
+    finalizeSessions
+  );
   const finRes = await authenticatedClient.finalizeAIBlameInferencesUploadRaw({
-    sessions: finalizeSessions
+    sessions: sanitizedFinalizeSessions
   });
   const status = finRes?.finalizeAIBlameInferencesUpload?.status;
   if (status !== "OK") {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mobbdev",
-  "version": "1.1.6",
+  "version": "1.1.8",
   "description": "Automated secure code remediation tool",
   "repository": "git+https://github.com/mobb-dev/bugsy.git",
   "main": "dist/index.mjs",
@@ -56,6 +56,7 @@
     "@modelcontextprotocol/sdk": "1.21.1",
     "@octokit/core": "5.2.0",
     "@octokit/request-error": "5.1.1",
+    "@openredaction/openredaction": "1.0.4",
     "adm-zip": "0.5.16",
     "axios": "1.13.2",
     "azure-devops-node-api": "15.1.1",
@@ -67,6 +68,7 @@
     "debug": "4.4.3",
     "dotenv": "16.6.1",
     "extract-zip": "2.0.1",
+    "gitleaks-secret-scanner": "1.2.2",
     "globby": "14.1.0",
     "graphql": "16.12.0",
     "graphql-request": "6.1.0",